Post on 25-Feb-2016

39 Views

Category:

Documents

1 Downloads

Preview:

Click to see full reader

DESCRIPTION

A0 841mmx1189mm. Secure Out-of-band Remote Management i n Infrastructure as a Service. IaaS. User. m anagement VM. VNC server. VNC server. VNC server. VNC server. m anagement VM. u ser VM. s creen decrypt. key encrypt. key encrypt. VNC c lient. u ser VM. VPN. eavesdrop. - PowerPoint PPT Presentation

TRANSCRIPT

A0841mmx1189mm

Tomohisa Egawa, Naoki Nishimura, and Kenichi Kourai (Kyushu Institute of Technology)

Secure Out-of-band Remote Management in Infrastructure as a Service

Remote Management in IaaS

Out-of-band remote management is useful: users access their VMs via the management VM, even on network/system failures in the VMs (network configuration errors, OS crashes, etc.).

The management VM can be compromised by outside attackers or abused by IaaS administrators. Such attackers can steal sensitive information of user VMs (keystrokes, screenshots, etc.).

FBCrypt

FBCrypt protects sensitive information against the attackers in the management VM by encrypting the inputs and outputs between a VNC client and a user VM using the VMM: keyboard/pointer inputs and framebuffer updates.

The Management VM is Not Always Trustworthy

Protecting the VMM inside IaaS

FBCrypt performs remote attestation of the VMM to guarantee the integrity of a booted VMM. The VMM is protected against the management VM by memory protection, so the attackers cannot access code and data of the VMM.

Encrypting Inputs

The VMM decrypts the inputs encrypted by a VNC client and converts their encoding, instead of a VNC server doing so. The integrity of the inputs is also checked with the MAC. The decrypted inputs are written into the I/O ring.

Encrypting a Framebuffer

The VMM replicates a VFB and encrypts the replica. It synchronizes the two VFBs when pixel data is updated. A VNC server sends the encrypted pixel data in the replica, and a VNC client decrypts them.
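The input path described under "Encrypting Inputs", as an added simulation that is not FBCrypt's own code: the VNC client encrypts and MACs an RFB KeyEvent, the VNC server in the management VM only relays the opaque blob, and the VMM checks the sequence number and MAC, decrypts, converts the keysym into the encoding the virtual keyboard expects, and writes it to the I/O ring. The cipher (an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC), the session key and the partial keysym-to-scancode table are assumptions for the demo.

```python
import hmac
import hashlib
import struct

# Constructed demo key: in FBCrypt the client and the VMM share a key that
# is set up only after the VMM has been remotely attested.
SESSION_KEY = bytes(range(32))
ENC_KEY = hmac.new(SESSION_KEY, b"enc", hashlib.sha256).digest()
MAC_KEY = hmac.new(SESSION_KEY, b"mac", hashlib.sha256).digest()
# Assumed, partial conversion table: X11 keysym ('a', 'b', 'c') -> PC scancode.
KEYSYM_TO_SCANCODE = {0x61: 0x1E, 0x62: 0x30, 0x63: 0x2E}

def keystream(nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream derived with HMAC-SHA256 (assumed cipher, not FBCrypt's)."""
    blocks = (hmac.new(ENC_KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def client_encrypt_key(down: bool, keysym: int, seq: int) -> bytes:
    """VNC client side: encrypt-then-MAC one RFB KeyEvent body (down-flag, keysym)."""
    plain = struct.pack(">B3xI", int(down), keysym)
    nonce = seq.to_bytes(8, "big")                        # per-message counter as nonce
    ct = bytes(p ^ k for p, k in zip(plain, keystream(nonce, len(plain))))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag   # the VNC server in the management VM relays this unchanged

def vmm_receive(msg: bytes, expected_seq: int, io_ring: list) -> bool:
    """VMM side: verify sequence and MAC, decrypt, convert encoding, write to the I/O ring."""
    if len(msg) < 8 + 8 + 16:
        return False
    nonce, ct, tag = msg[:8], msg[8:-16], msg[-16:]
    if int.from_bytes(nonce, "big") != expected_seq:
        return False                                      # replayed or reordered input
    want = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, want):
        return False                                      # modified inside the management VM
    plain = bytes(c ^ k for c, k in zip(ct, keystream(nonce, len(ct))))
    down, keysym = struct.unpack(">B3xI", plain)
    scancode = KEYSYM_TO_SCANCODE.get(keysym)
    if scancode is None:
        return False                                      # unknown key: drop rather than guess
    io_ring.append(scancode if down else scancode | 0x80)  # break code = make code | 0x80
    return True

if __name__ == "__main__":
    ring = []
    blob = client_encrypt_key(True, 0x61, 0)
    print(vmm_receive(blob, 0, ring), ring)             # True [30]
```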

[Figure: information leakage. The user's VNC client connects over a VPN to the IaaS; an attacker in the management VM eavesdrops on the VNC server and obtains the password and screenshots of the user VM.]

[Figure: FBCrypt overview. The VNC client encrypts keys and decrypts the screen; the VMM decrypts keys and encrypts the screen; the VNC server in the management VM handles only encrypted data.]

Experiments

We examined the response time on the client side. Keyboard: on a keyboard input, the VNC client received the updated pixel data from the VNC server. Full-screen update: on a keyboard input, the VNC client received full-screen (800x600) updated data and redrew the full screen.

Response time (ms):

Keyboard: original 113, FBCrypt 120

Full-screen update: original 146, FBCrypt 192

Server: Xen-4.1.1

Client: TightVNC Java viewer

[Figure: encrypting inputs. The VNC client encrypts keys; the VNC server in the management VM forwards them; the VMM decrypts and converts them, performs the integrity check, and writes them into the I/O ring of the user VM.]

[Figure: encrypting a framebuffer. The VMM monitors the user VM's VFB and encrypts the screen into the replica VFB; the VNC server in the management VM reads the replica; the VNC client decrypts the screen.]

[Figure: out-of-band remote management in IaaS. The user's VNC client connects to the VNC server in the management VM, which accesses the user VMs through virtual devices on the VMM.]

[Figure: remote attestation. The TPM hardware hashes the VMM and provides a signed measurement to the verifier.]
